proxy_ssl_verify error: 'upstream SSL certificate does not match "test.example.com" while SSL handshaking to upstream', for CN/SAN 'matched' client & server certs ?

PGNet Dev pgnet.dev at gmail.com
Tue Jun 2 04:58:26 UTC 2020


with patch applied, and 'proxy_ssl_server_name on;'

this is where the problem appears

	2020/06/02 00:50:08 [debug] 20166#20166: *3 verify:1, error:0, depth:2, subject:"/O=example.com/OU=example.com_CA/L=New_York/ST=NY/C=US/emailAddress=admin at example.com/CN=example.com_CA", issuer:"/O=example.com/OU=example.com_CA/L=New_York/ST=NY/C=US/emailAddress=admin at example.com/CN=example.com_CA"
	2020/06/02 00:50:08 [debug] 20166#20166: *3 verify:1, error:0, depth:1, subject:"/C=US/ST=NY/O=example.com/OU=example.com_CA/CN=example.com_CA_INTERMEDIATE/emailAddress=admin at example.com", issuer:"/O=example.com/OU=example.com_CA/L=New_York/ST=NY/C=US/emailAddress=admin at example.com/CN=example.com_CA"
	2020/06/02 00:50:08 [debug] 20166#20166: *3 verify:1, error:0, depth:0, subject:"/C=US/ST=NY/L=New_York/O=example.com/OU=example.com_CA/CN=test.example.net/emailAddress=admin at example.com", issuer:"/C=US/ST=NY/O=example.com/OU=example.com_CA/CN=example.com_CA_INTERMEDIATE/emailAddress=admin at example.com"
	2020/06/02 00:50:08 [debug] 20166#20166: *3 ssl new session: 0E2A0672:32:1105
	2020/06/02 00:50:08 [debug] 20166#20166: *3 ssl new session: 31C878D7:32:1104
	2020/06/02 00:50:08 [debug] 20166#20166: *3 SSL_do_handshake: 1
	2020/06/02 00:50:08 [debug] 20166#20166: *3 SSL: TLSv1.3, cipher: "TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD"
	2020/06/02 00:50:08 [debug] 20166#20166: *3 reusable connection: 1
	2020/06/02 00:50:08 [debug] 20166#20166: *3 http wait request handler
	2020/06/02 00:50:08 [debug] 20166#20166: *3 malloc: 0000555967A0B2E0:1024
	2020/06/02 00:50:08 [debug] 20166#20166: *3 SSL_read: 772
	2020/06/02 00:50:08 [debug] 20166#20166: *3 SSL_read: -1
	2020/06/02 00:50:08 [debug] 20166#20166: *3 SSL_get_error: 2
	2020/06/02 00:50:08 [debug] 20166#20166: *3 reusable connection: 0
	2020/06/02 00:50:08 [debug] 20166#20166: *3 posix_memalign: 00005559678F6460:4096 @16
	2020/06/02 00:50:08 [debug] 20166#20166: *3 posix_memalign: 00005559675113A0:4096 @16
	2020/06/02 00:50:08 [debug] 20166#20166: *3 http process request line
	2020/06/02 00:50:08 [debug] 20166#20166: *3 http request line: "GET /app1 HTTP/1.1"
	2020/06/02 00:50:08 [debug] 20166#20166: *3 http uri: "/app1"
	2020/06/02 00:50:08 [debug] 20166#20166: *3 http args: ""
	2020/06/02 00:50:08 [debug] 20166#20166: *3 http exten: ""
	2020/06/02 00:50:08 [debug] 20166#20166: *3 http process request header line
	2020/06/02 00:50:08 [info] 20166#20166: *3 client attempted to request the server name different from the one that was negotiated while reading client request headers, client: 127.0.0.1, server: test.example.net, request: "GET /app1 HTTP/1.1", host: "example.net"
	2020/06/02 00:50:08 [debug] 20166#20166: *3 http finalize request: 421, "/app1?" a:1, c:1
	2020/06/02 00:50:08 [debug] 20166#20166: *3 event timer del: 50: 3334703
	2020/06/02 00:50:08 [debug] 20166#20166: *3 http special response: 421, "/app1?"
	2020/06/02 00:50:08 [debug] 20166#20166: *3 http set discard body
	2020/06/02 00:50:08 [debug] 20166#20166: *3 headers more header filter, uri "/app1"
	2020/06/02 00:50:08 [debug] 20166#20166: *3 lua capture header filter, uri "/app1"
	2020/06/02 00:50:08 [debug] 20166#20166: *3 xslt filter header
	2020/06/02 00:50:08 [debug] 20166#20166: *3 charset: "" > "utf-8"
	2020/06/02 00:50:08 [debug] 20166#20166: *3 HTTP/1.1 421 Misdirected Request

noting

	2020/06/02 00:50:08 [info] 20166#20166: *3 client attempted to request the server name different from the one that was negotiated while reading client request headers, client: 127.0.0.1, server: test.example.net, request: "GET /app1 HTTP/1.1", host: "example.net"

now, need to stare at this and try to figure out 'why?'